

serious virus/trojan/spyware/malware


  • This topic is locked
15 replies to this topic

#1 larsenit

larsenit

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 28 March 2010 - 08:01 PM

Hi,

I'm running XP from a dell mini. Sometimes websites suddenly change into a very simplistic view. Antivirus software sites are rerouted to other random or fake antivirus sites. I did/still have the xp security tool 2010 trojan. My search within my computer has been disabled. My security center has been disabled. I cannot download any antivirus software because it says it is either not a Win32 application or there is not enough disc space (when I'm fairly certain there is).

Please help! Here is my Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:02 PM, on 3/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Donny Blake\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EvenMoreMegaSwellAdsForYou - {EB692FE4-6873-09E0-C127-95E8BA2F94FF} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Gxigotohunica] rundll32.exe "C:\WINDOWS\apojaxakuqejako.dll",Startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27756073-7B14-42C1-BA8B-D81241B3AE49}: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C2EB64-498F-4C6D-9899-A79796FA96F7}: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CS1\Services\Tcpip\..\{27756073-7B14-42C1-BA8B-D81241B3AE49}: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CS3\Services\Tcpip\..\{27756073-7B14-42C1-BA8B-D81241B3AE49}: NameServer = 93.188.163.133,93.188.166.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.133,93.188.166.115
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: rpcnetp - Unknown owner - C:\WINDOWS\System32\rpcnetp.exe

--
End of file - 5721 bytes



#2 larsenit

larsenit
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 29 March 2010 - 08:43 PM

Hi,

I seem to be infected with a sophisticated virus. Many websites I am unable to access, including antivirus program sites. I am redirected to various other sites. Some sites won't open at all, including my home page. I cannot download any antivirus programs; after downloading, my computer says it is not a win32 file, is not compatible, there is not enough space, or something along those lines. I had the xp security tool 2010 program on my account and created a new one from which to work in safe mode. Sometimes websites open in a much simpler form, on white background with black text and few images.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Donny Blake at 21:02:49.43 on Sun 03/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.323 [GMT -4:00]

AV: ClamAV for Windows *On-access scanning enabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Donny Blake\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EB692FE4-6873-09E0-C127-95E8BA2F94FF} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Gxigotohunica] rundll32.exe "c:\windows\apojaxakuqejako.dll",Startup
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.133,93.188.166.115
TCP: {27756073-7B14-42C1-BA8B-D81241B3AE49} = 93.188.163.133,93.188.166.115
TCP: {C3C2EB64-498F-4C6D-9899-A79796FA96F7} = 93.188.163.133,93.188.166.115
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli iodhcasp.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-7-28 9856]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2010-3-24 17408]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-7-28 93968]

=============== Created Last 30 ================

2010-03-29 00:58:39 0 ----a-w- c:\documents and settings\donny blake\defogger_reenable
2010-03-28 00:27:17 360 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-03-28 00:27:11 952 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-28 00:26:49 312 ----a-w- c:\documents and settings\donny blake\stsf.bat
2010-03-28 00:18:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-28 00:14:18 0 d-----w- c:\program files\common files\iS3
2010-03-28 00:14:16 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-27 23:20:26 0 d-----w- c:\windows\pss
2010-03-27 23:12:10 0 d-sh--w- c:\documents and settings\donny blake\IECompatCache
2010-03-27 14:02:31 66082 ----a-w- c:\windows\system32\c_10021.nls
2010-03-27 14:02:31 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-03-27 13:53:48 0 d-----w- c:\program files\Microsoft Windows OneCare Live
2010-03-27 10:41:36 0 d-----w- c:\docume~1\donnyb~1\applic~1\FrostWire
2010-03-27 10:36:24 0 d-----w- c:\program files\ClamAV for Windows
2010-03-26 11:01:23 44928 ---ha-w- c:\windows\system32\wexe.exe
2010-03-24 14:19:02 0 d-sh--w- c:\windows\system32\lowsec
2010-03-24 05:55:00 0 d-----w- c:\docume~1\donnyb~1\applic~1\Windows Search
2010-03-24 05:54:01 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-03-24 05:54:01 57752 ------w- c:\windows\system32\rpcnet.exe
2010-03-24 05:53:37 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-03-24 05:53:21 0 d-sh--w- c:\documents and settings\donny blake\PrivacIE
2010-03-24 05:51:44 0 d-sh--w- c:\documents and settings\donny blake\IETldCache
2010-03-24 05:48:34 0 d-----w- c:\docume~1\donnyb~1\applic~1\Windows Desktop Search
2010-03-24 05:48:20 0 d-----w- c:\program files\msn gaming zone
2010-03-24 05:28:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-03-23 23:12:06 312 ----a-w- c:\windows\system32\stsf.bat
2010-03-23 23:12:05 456192 ----a-w- c:\windows\system32\ls_sppnh.exe
2010-03-23 22:13:37 375296 ----a-w- c:\windows\system32\emqf.exe
2010-03-23 22:13:36 375296 ----a-w- c:\windows\system32\jctqp.exe
2010-03-23 22:13:09 162816 ----a-w- c:\windows\onktr5010.exe
2010-03-23 21:56:09 120 ----a-w- c:\windows\Myevowuka.dat
2010-03-23 21:56:09 0 ----a-w- c:\windows\Nxerova.bin
2010-03-23 21:53:43 0 d-----w- C:\spoolerlogs
2010-03-23 21:53:03 375296 ----a-w- c:\windows\system32\eyle.exe
2010-03-23 21:53:00 212 ----a-w- c:\windows\system32\winset.ini
2010-03-23 21:52:57 0 ---ha-w- c:\windows\system32\wupd.dat
2010-03-23 21:52:42 164352 ----a-w- c:\windows\Isufea.exe
2010-03-23 21:52:30 6898 ----a-w- c:\windows\system32\WORK.DAT
2010-03-23 21:52:25 25088 ----a-w- c:\windows\system32\0040.DLL
2010-03-23 21:52:12 40320 ----a-w- c:\windows\clku6546.exe
2010-03-23 21:51:55 48128 ----a-w- c:\windows\catko56323.exe
2010-03-17 22:51:42 33792 ----a-w- c:\windows\system32\identprv.dll
2010-03-17 22:51:41 9728 ----a-w- c:\windows\system32\wceprv.dll
2010-03-17 22:51:41 13312 ----a-w- c:\windows\system32\diagdll.dll
2010-03-17 22:36:42 49152 ----a-w- c:\windows\system32\instw32.exe
2010-03-17 22:36:42 32256 ----a-w- c:\windows\system32\instd32.exe

==================== Find3M ====================

2010-03-28 00:40:48 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-24 05:51:36 17408 ----a-w- c:\windows\system32\rpcnetp.dll

============= FINISH: 21:04:29.07 ===============



Edited by Orange Blossom, 29 March 2010 - 11:09 PM.
Merged topics. ~ OB


#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:17 PM

Posted 30 March 2010 - 04:39 AM

Hi larsenit,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please give me feedback in order to know what is going on at the other end. I see you have scanned the computer in Safe Mode with Networking. Are you not able to boot to normal mode?
    If you can't boot to normal mode you may run ComboFix (step 3) in any mode, but when it needs a reboot let it reboot to normal mode.

  2. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Tell me if you had to change any setting.

  3. Download ComboFix from one of these locations, but rename it to kit.exe before saving it to your desktop:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on kit.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#4 larsenit

larsenit
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 30 March 2010 - 11:31 AM

Thank you so much for helping, first of all.

I've been using safe mode exclusively because I feel more secure when using it. Is this not the case? I'll turn it off.

I changed the default network connection to what you asked (it's my wireless network connection). No other changes were made. I disabled my firewall and to my knowledge that is my only form of security.

I tried to download combofix from link 1, but my computer said I didn't have enough space on my hard drive. I then used link 2, downloaded, renamed, and saved combofix to my desktop. When I tried to open it, however, I received this message: "C:\Documents and Settings\Donny Blake\Desktop\kit.exe is not a valid Win32 application." Link 3 opens and continuously loads without getting to an actual site (though the address is visible up top: http://subs.geekstogo.com/combofix.exe). It's simply a blank page loading.

#5 larsenit

larsenit
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 30 March 2010 - 12:05 PM

When I tried to post that just now, my computer did the same continuous loading thing and I didn't get to see if the post was successful. I closed IE and tried to open it back up and nothing. I couldn't get anywhere. Couldn't open up the control panel. My computer slowed down significantly. Opened Task Manager, saw no suspicious activity. I restarted my computer and now it's running fairly efficiently, more so than any other time in recent memory.

So, I tried link 3 again. It worked (though the website was the very simple version of a website I described before: everything's stacked to the left in a column with few graphics or pictures, white background, black text, and blue links). Tried to download from mirror 1 and it didn't work (with the cannot copy message following); tried again, it worked; tried to open, same win32 message. Tried mirror two; received "Cannot copy file: cannot read from source file or disc" message. Tried again, worked, win32 message.

Also, I'm constantly being reminded by my computer to free up disc space because I don't have enough. I checked and apparently all 7.07 GB of my hard drive are full, but I've run a bunch of disc clean-ups the last few days (before starting this) and have removed and added files (before this and in compliance with this).

So, where do I go from here?

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:17 PM

Posted 30 March 2010 - 01:56 PM

QUOTE
I've been using safe mode exclusively because I feel more secure when using it. Is this not the case? I'll turn it off.

It is just a misunderstanding. In Safe Mode with Networking your antivirus is disabled and you have less security than in normal mode.
Tell me also whether you are using msconfig (Configuration Utility) to get to Safe Mode. If yes, you should use the F8 key at start-up instead: if you use msconfig to get to Safe Mode and Safe Mode fails to boot, you lock yourself out and there is no way to boot to any mode any more.

Did you try to run Combofix in Safe Mode with Networking or in normal mode? Please give me that kind of feedback. It doesn't matter if you run the tools in Safe Mode when they can't run in normal mode.

  1. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  2. Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Copy and paste or type the following in the Custom Scans/Fixes:
      msconfig
      drivers32
      %SYSTEMDRIVE%\*.exe
      /md5start
      iaStor.sys
      atapi.sys
      AGP440.sys
      /md5stop
      %systemroot%\*. /mp /s
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


#7 larsenit

larsenit
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 31 March 2010 - 09:44 AM

Yes, I did use msconfig to open safe mode. I have turned it off.

I'm not sure whether I initially tried to run combofix in safe or normal mode, but I have now tried to run it in normal mode and it didn't work. Downloading CCleaner didn't work and running OTL didn't work; I received the not a valid Win32 application for both.

Perhaps I'm missing an application? When I was trying to fix this problem myself, I deleted some files. Maybe I deleted something crucial to running some applications?

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:17 PM

Posted 31 March 2010 - 11:59 AM

It takes two to tango.

QUOTE
Downloading CCleaner didn't work and running OTL didn't work; I received the not a valid Win32 application for both.

This is a heavily infected computer and your feedback is not helping me. What does this tell me? Just one thing: it didn't work. I need to know what you did, where you did it (like in normal mode or safe mode), etc.
This is a heavily infected computer and your full and detailed feedback is needed.
  1. Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log to your usual account.

  2. Try to run OTL.exe from there. If it does not work, rename it to clear.com and run it. Tell me everything you do.

  3. If you could not run OTL go to Start => Run, type cmd in the run box and press Enter. Tell me what you see.


#9 larsenit

larsenit
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 31 March 2010 - 07:53 PM

I'm sorry. I'm trying to be as descriptive as possible. I will try harder.

Ok, back in safe mode. Couldn't do it by tapping the F8 key- just didn't happen. Went through msconfig. I tried opening OTL.exe. Received this message: "C:\Documents and Settings\Donny Blake\Desktop\OTL.exe is not a valid Win32 application." It's a gray box with a blue bar with the OTL location in white in it. My only options are the corner x and an ok button. It has a red circle with a white x as a logo on the left.

I renamed OTL to clear.com. I tried to run it and received the same 'C:\Documents and Settings\Donny Blake\Desktop\clear.com is not a valid Win32 application' message.

Each time I try to open the application, or any application, I get the following message- gray box, blue heading with 'open file - security warning' in white. The message says "The publisher could not be verified. Are you sure you want to run this software?" This is followed by a column of categories: "Name: clear.com.exe" over "Publisher: (in bold:)Unknown Publisher" over "Type: Application" over "From: C\Documents and Settings\Donny Blake\Desktop" there are two buttons: run and cancel. There is an "always ask before opening this file" option which is checked to the left. To the left of these categories is a .exe application icon. There is a line, under which says: "This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust." Then a link: "How can I decide what software to run?" There is an all red security shield icon to the left of this with a white x in the middle. When I click the link I get an hour glass, then nothing. When I right click the link, nothing happens.

I ran cmd. It is a black MSDOS type screen. blue heading- in white letters: C:\WINDOW\system32\cmd.exe

On the screen, top left:

Miscrosoft Windows XP [Version 1.5.2600]
Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Donny Blake>(blinking underscore here)

After this message, there's a very long black space underneath you can scroll through. There is nothing besides this message to be seen. If I press enter, the C:\Documents and Settings\Donny Blake> replicates once.

I can minimize, maximize (then restore) or x out of this screen.

Meanwhile, I get a Low Disk Space message in the bottom right corner of my screen every few minutes prompting me to run disk clean up.

also, all websites in normal mode are in the simple version now. When I first ran safe mode, all the websites were normal. They just switched to the simple version.

Edited by larsenit, 31 March 2010 - 07:55 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:17 PM

Posted 01 April 2010 - 01:34 PM

Thanks for the detailed feedback.

Let's see if we can fight these nasty infections without those tools. Make sure you do this all in one session. You might need a minimum 30 minutes to do this all.

QUOTE
Each time I try to open the application, or any application, I get the following message- gray box, blue heading with 'open file - security warning' in white.

There is a workaround for that, for now and later on if we need to run an application: right-click the application (in this case OTL), select Properties, select Unblock and click OK.
  1. Open a notepad (Start > Run and type in Notepad and press Enter).

    Copy and paste the text in code box into it.

    CODE
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "NameServer"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{27756073-7B14-42C1-BA8B-D81241B3AE49}]
    "NameServer"=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3C2EB64-498F-4C6D-9899-A79796FA96F7}]
    "NameServer"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gxigotohunica"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnetp]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6C,69,00,00

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm. It should look like
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.

    Note: You have to turn off any registry protector software you have in order for the changes to take place.


  2. Once more make sure the following setting is not altered by the malware again:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Tell me if the malware had changed the settings again.

  3. Make the fix.bat file as instructed in the PM I have sent you. Run it just once by double-clicking. It produces a log. Post the log later on in your reply. If you have run the batch file from your desktop the log will be saved there.

  4. Disconnect the computer from internet. Reboot the computer in the Safe Mode and run the batch file once more. It should produce a new log. Post the log later on to your reply.

  5. Connect the computer to internet.

  6. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Note:
    In case malware prevented the mbam-setup.exe file from installing rename it to something.exe

    In case malware prevented it from updating or running, using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    Locate the file mbam.exe and rename it to clear.exe then double-click to run it.

    In case the Malwarebytes exe gets deleted by the malware (Code 2 error, mbam.exe not found), download a randomized renamed mbam.exe version from here.
    Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder and run the renamed file from there directly instead of using the shortcut.

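Farbar's fix.bat is sent by PM and its contents are not shown in this thread. The batch file below is an added illustration, not Farbar's script and not a BleepingComputer tool, of how a removal script of that kind works and how it produces a log in the "Removed Successfully" style that appears in this thread: it reads one path per line from a file named targets.txt (an assumed name) placed next to the script, removes each file or folder, and writes the outcome to a log in the same folder, so running it from the desktop leaves the log on the desktop, as step 3 describes. Only use such a script with paths a helper has vetted; deletions under Windows\system32 are not reversible.

```batch
@echo off
rem Added example, not Farbar's fix.bat. Deletes every path listed in the
rem assumed file "targets.txt" (one path per line, blank lines and lines
rem starting with ";" are skipped) and logs each result next to this script.
rem Run it from an administrator account; on XP the default account is one.
setlocal

set "LOG=%~dp0log 1.txt"
set "LIST=%~dp0targets.txt"

if not exist "%LIST%" (
    echo targets.txt was not found next to this script.
    pause
    exit /b 1
)

echo Files and folders removed:> "%LOG%"

for /f "usebackq delims=" %%P in ("%LIST%") do (
    if not exist "%%~P" (
        echo %%~P Not Found>> "%LOG%"
    ) else (
        rem A trailing backslash only matches directories, so this tells
        rem folders apart from files.
        if exist "%%~P\" (
            rd /s /q "%%~P"
        ) else (
            rem Clear read-only/system/hidden attributes first; malware often
            rem sets them so a plain del fails.
            attrib -r -s -h "%%~P" >nul 2>&1
            del /f /q "%%~P"
        )
        rem A file that is locked by a running process or guarded by a
        rem malicious driver survives the delete; that is why the same
        rem script is run again in Safe Mode.
        if exist "%%~P" (
            echo %%~P Removal Failed>> "%LOG%"
        ) else (
            echo %%~P Removed Successfully>> "%LOG%"
        )
    )
)

echo ==============>> "%LOG%"
start notepad "%LOG%"
endlocal
```

Paths containing `&` or `!` are not handled by this simple version (they would need extra quoting in the echo lines), and the script makes no attempt to stop the processes that own the files; a real helper's fix normally kills or disables those first, which is why step 4 repeats the run from Safe Mode where the malware's services and startup entries are not loaded.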

#11 larsenit (Topic Starter)

Posted 02 April 2010 - 07:14 PM

Ok, so I did everything exactly up until fix.bat. btw, the network connection settings were unchanged since last time.

Here's the problem: When I tried to run fix.bat, I got this message in Notepad (log 1 - Notepad), reading: "There is not enough space on the disk. 0 file(s) copied."

Then I thought I could remove some software I don't urgently need (Microsoft Office Plus, iTunes, Adobe Flash, etc.). I was hesitant to change anything on my computer, but you said to do it all in one session so I went ahead with it; however, I was unable to remove anything, I think maybe because I'm in safe mode (which is good, because I felt like I needed to ask you if it was ok to do it anyway).

I received this message (blue bar, gray box, red circle with white X icon), headed NSIS Error: "The installer you are trying to use is corrupted or incomplete. This could be the result of a damaged disk, a failed download or a virus.

You may want to contact the author of this installer to obtain a new copy.

It may be possible to skip this check using the /NCRC command line switch (NOT RECOMMENDED)."

Also, on the task bar, this message is displayed as NSIS Error with a red box/briefcase-like icon with a white chili pepper or flash player icon in the middle (perhaps because I was trying to uninstall adobe flash player).

Then, I decided to disable my internet, go into normal mode (assuming I couldn't uninstall because I was in safe mode), uninstall some programs, then come back to this, but when I tried to disable my internet, I received this message:

(blue heading, gray box, yellow triangle with black exclamation point icon to the left), headed Error Disabling Connection: "It is not possible to disable the connection at this time. This connection may be using one or more protocols that do not support plug-and-play, or it may have been initiated by another user or the system account."

Remember, I am in safe mode with networking during all of this.

You said to run this all in one sitting, so since it didn't work this time, is the fix.bat still valid?

Thanks again for all the help. I can't thank you enough for your time.

Edited by larsenit, 02 April 2010 - 07:16 PM.


#12 Farbar (Security Developer, The Netherlands)

Posted 02 April 2010 - 09:59 PM

Thanks for the detailed feedback.

I have doubts about whether the lack of disk space is the problem. There is a possibility of a file infector, or the malware is preventing all those actions.

But you can still manually remove some unneeded files. You can remove OTL.exe and ComboFix.
Go to Start => Run, type cleanmgr and press Enter. You get a pop-up window with drive C checked. Click OK. Check all the items except Compress Old Files. Then click OK and Yes to confirm.

Please tell me if you have another computer we can use to communicate, so we can keep the infected one disconnected. Also tell me if you have a Windows installation CD.
How can you disconnect the computer if it didn't allow you to do it from the settings inside the computer? Do you have a router?

I'll send you a prefix via PM.

First go to Safe Mode and run prefix.bat, then reboot, run fix.bat and post the log it makes.

#13 larsenit (Topic Starter)

Posted 04 April 2010 - 08:09 PM

Files and folders removed:
c:\windows\system32\drivers\kgpfr2.cfg Removed Successfully
c:\windows\system32\drivers\kgpcpy.cfg Removed Successfully
"c:\documents and settings\donny blake\stsf.bat" Removed Successfully
c:\windows\system32\c_10021.nls Removed Successfully
c:\windows\system32\ftlx041e.dll Removed Successfully
c:\windows\system32\wexe.exe Removed Successfully
c:\windows\system32\rpcnet.dll Removed Successfully
c:\windows\system32\rpcnet.exe Removed Successfully
c:\windows\system32\Upgrd.exe Removed Successfully
c:\windows\system32\rpcnetp.exe Removed Successfully
c:\windows\system32\stsf.bat Removed Successfully
c:\windows\system32\ls_sppnh.exe Removed Successfully
c:\windows\system32\emqf.exe Removed Successfully
c:\windows\system32\jctqp.exe Removed Successfully
c:\windows\onktr5010.exe Removed Successfully
c:\windows\Myevowuka.dat Removed Successfully
c:\windows\Nxerova.bin Removed Successfully
c:\windows\system32\eyle.exe Removed Successfully
c:\windows\system32\winset.ini Removed Successfully
c:\windows\system32\wupd.dat Removed Successfully
c:\windows\Isufea.exe Removed Successfully
c:\windows\system32\WORK.DAT Removed Successfully
c:\windows\system32\0040.DLL Removed Successfully
c:\windows\clku6546.exe Removed Successfully
c:\windows\catko56323.exe Removed Successfully
c:\windows\system32\identprv.dll Removed Successfully
c:\windows\system32\wceprv.dll Removed Successfully
c:\windows\system32\diagdll.dll Removed Successfully
c:\windows\system32\instw32.exe Removed Successfully
c:\windows\system32\instd32.exe Removed Successfully
c:\windows\system32\rpcnetp.dll Removed Successfully
C:\WINDOWS\apojaxakuqejako.dll Removed Successfully
c:\windows\system32\lowsec Removed Successfully
C:\spoolerlogs Removed Successfully
==============
Moved Files Or Folders:


I do not have another computer. I could use one of my roommates', but that might be cumbersome and unwanted. I'm not sure if I have a Windows CD or not, though I suppose I should. I only got this computer about a year ago, if that, so there should be one floating around. If not, one of my roommates may have one.

"How can you disconnect the computer if it didn't allow you to do it from the settings inside the computer? Do you have a router?"

I'm not sure what you mean, but yes, I do have a wireless router, though two other people are also using it. I suppose I could shut it off for a time while I work with the computer, then turn it back on while the computer is off.

Edited by larsenit, 04 April 2010 - 08:12 PM.


#14 Farbar (Security Developer, The Netherlands)

Posted 05 April 2010 - 05:02 AM

Thanks for the feedback. The reason I asked about the connection is that the computer is heavily infected and there is no protection of any kind on it. Being connected to the internet means the malware silently downloads more and more bad stuff until the computer can't be cleaned any more. It is not just when doing the fixes that we need to be disconnected. Until the computer is cleaned it should be kept unused and disconnected from the internet.

Quote:
"First go to Safe Mode and run prefix.bat, then reboot, run fix.bat and post the log it makes."

Did you apply the fix.bat? The one you made previously? If not, please do it also in Safe Mode once and post the log it makes.



#15 Farbar (Security Developer, The Netherlands)

Posted 09 April 2010 - 06:36 AM

Are you still there?
